How the FBI deploys the software is not clear, but there's no really good way to do it. The cleanest, surest way would be to have physical access to the computer and install it manually, but that probably isn't often possible. The EFF cites reports that the FBI has, in the past, "...sent a URL via MySpace's internal messaging, pointing to code that would install the spyware by exploiting a vulnerability in the user's browser." Such methods aren't foolproof, and the documents also discuss problems the Bureau has had deploying the software. On the whole, the FBI probably acts as, and has the same problems as, any targeted attacker.

The EFF also describes how the FBI struggled to determine the proper legal authorization for using the software. They settled on a "two-step request": "a search warrant to authorize intrusion into the computer, and then a subsequent Pen/Trap order to authorize the surveillance done by the spyware."

There are plenty of problems with putting persistent malware on users' systems. It could be found by quality security measures. It could interfere with other software. On top of everything else, you need to have an effective method for remote uninstallation if the circumstances warrant.

But there's no real substitute for host-resident malware for surveillance. The actual traffic to and from the computer is not on the list of monitored items, but if they wanted to "tap" it, any surveillance from the network could be defeated by encryption. As the EFF notes, host-resident malware also serves to narrowly target the suspect, which is preferable to expanding measures to make it easier for the government to monitor the Internet more generally. Those broader measures are the EFF's real target and, ironically perhaps, the EFF doesn't seem to have much of a problem in principle with CIPAV-type monitoring.